Apple missed screenshot-snooping malware in code that made it into the App Store, Kaspersky claims – The Register


Kaspersky eggheads say they’ve spotted the first app containing hidden optical character recognition spyware in Apple’s App Store. Cunningly, the software nasty is designed to steal cryptocurrency.

The researchers found the malware in an iOS app called ComeCome, which is also available from Google’s Play store, and claims to offer food delivery services. According to Kaspersky’s Dmitry Kalinin and Sergey Puzan, the application also delivers the keys to victims’ crypto holdings to crooks.

The app can do that as, according to Kaspersky’s analysts this week, it is “embedded with a malicious SDK/framework” that at an unspecified moment decrypts an optical character recognition (OCR) plugin. Once that OCR code is running, the app hunts for screenshots on mobile devices in the hope that some include cryptocurrency wallet recovery phrases, aka seed phrases, that the OCR will extract and the spyware will exfiltrate.

With those stolen seed phrases in hand, the app’s masterminds can take control of victims’ wallets, and transfer funds out of them. That’s why your seed phrase needs to be kept a secret, offline and not as an image on your phone.

“Our investigation revealed that the attackers were targeting crypto wallet recovery phrases, which were sufficient for gaining full control over a victim’s crypto wallet to steal the funds,” Team Kaspersky wrote.

“Unfortunately, despite rigorous screening by the official marketplaces and general awareness of OCR-based crypto wallet theft scams, the infected apps still found their way into Google Play and the App Store,” the duo added, before noting the apps may have evaded checks because they offer “no indication of a malicious implant hidden within the app” and may appear harmless.

“This case once again shatters the myth that iOS is somehow impervious to threats posed by malicious apps,” they opined.

The duo dubbed the seed-snatching malware SparkCat, and noted it “is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots.”

The cryptocurrency-stealing effort targets “at a minimum” Android and iOS users in Europe and Asia, says Team Kaspersky. More than one app in the Google Play store contains SparkCat, we’re told, and these were downloaded more than 242,000 times. Neither Google nor Apple responded to The Register’s requests for comment.

The analysts cannot confirm whether SparkCat was slipped into these applications in a supply-chain attack or as a deliberate act by the apps’ developers. Apple has removed the malicious ComeCome application from the iOS store, says Kaspersky. We note it’s also disappeared from Google Play along with others named by the Russian lab.

SparkCat refers to a highly obfuscated module called Spark within the malicious apps. The spyware is mostly written in Java and uses an unidentified protocol implemented in Rust to communicate with its remote command-and-control (C2) server.

After connecting to its C2 server, the Android version of Spark downloads and uses a wrapper for the TextRecognizer interface in Google’s ML Kit library to perform the character extraction from images. The malware loads one of several OCR models, chosen according to the device’s system language, to recognize Latin, Korean, Chinese, or Japanese characters in pictures.

If a mark engages with a poisoned app’s support team – interactions made possible with the legitimate third-party Easemob HelpDesk SDK – the software requests access to the device’s photo gallery. If access is granted, it scans screenshots using OCR to extract crypto wallet recovery phrases and sends them to the C2 server.

The app’s developers are therefore hoping users do two things: take screenshots of their recovery phrases, and then grant the app access to the gallery. Sadly, it appears there are enough users who will make both of those mistakes to make the effort of creating these apps worthwhile. ®